stellarwp — Vulnerabilities & Security Advisories 121

Browse all 121 CVE security advisories affecting stellarwp. AI-powered Chinese analysis, POCs, and references for each vulnerability.

StellarWP primarily develops and maintains premium WordPress plugins, including the popular MemberPress platform for membership management and subscription billing. Historically, its software has been associated with a significant volume of Common Vulnerabilities and Exposures, totaling 115 recorded instances. These security issues predominantly involve cross-site scripting (XSS), SQL injection, and arbitrary file upload flaws, often stemming from insufficient input validation and weak access controls within plugin code. While the company generally responds to disclosed vulnerabilities, the high frequency of patches indicates persistent challenges in secure coding practices. Notable incidents include multiple remote code execution (RCE) vectors that allowed attackers to compromise WordPress installations without authentication. The sheer number of CVEs suggests that while the products are widely used, their security posture has frequently lagged behind industry standards, requiring users to prioritize timely updates and rigorous security auditing to mitigate risks associated with these historically common vulnerability classes.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-12197 | The Events Calendar 6.15.1.1 - 6.15.9 - Unauthenticated SQL Injection via s | The Events Calendar | CWE-89 | 7.5 | High | 2025-11-05 |
| CVE-2025-12175 | The Events Calendar <= 6.15.9 - Missing Authorization to Authenticated (Subscriber+) Draft Event Title/QR Code Exposure | The Events Calendar | CWE-862 | 4.3 | Medium | 2025-10-31 |
| CVE-2025-62027 | WordPress Event Tickets plugin <= 5.26.3 - Broken Access Control vulnerability | Event Tickets | CWE-862 | 5.4 | Medium | 2025-10-22 |
| CVE-2025-49906 | WordPress WPComplete plugin <= 2.9.5.3 - Broken Access Control vulnerability | WPComplete | CWE-862 | 5.3 | Medium | 2025-10-22 |
| CVE-2025-11517 | Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass | Event Tickets and Registration | CWE-639 | 7.5 | High | 2025-10-18 |
| CVE-2025-11228 | GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign Association | GiveWP – Donation Plugin and Fundraising Platform | CWE-862 | 5.3 | Medium | 2025-10-04 |
| CVE-2025-11227 | GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms and Campaigns Disclosure | GiveWP – Donation Plugin and Fundraising Platform | CWE-285 | 6.5 | Medium | 2025-10-04 |
| CVE-2025-58974 | WordPress WPComplete Plugin <= 2.9.5.2 - Cross Site Scripting (XSS) Vulnerability | WPComplete | CWE-79 | 6.5 | Medium | 2025-09-22 |
| CVE-2025-9808 | The Events Calendar <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure | The Events Calendar | CWE-200 | 5.3 | Medium | 2025-09-16 |
| CVE-2025-9807 | The Events Calendar <= 6.15.1 - Unauthenticated SQL Injection | The Events Calendar | CWE-89 | 7.5 | High | 2025-09-12 |
| CVE-2025-7221 | GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Missing Authorization to Donation Update | GiveWP – Donation Plugin and Fundraising Platform | CWE-285 | 4.3 | Medium | 2025-08-21 |
| CVE-2025-54697 | WordPress Kadence WooCommerce Email Designer Plugin <= 1.5.16 - Privilege Escalation Vulnerability | Kadence WooCommerce Email Designer | CWE-266 | 7.2 | High | 2025-08-14 |
| CVE-2025-8620 | GiveWP – Donation Plugin and Fundraising Platform <= 4.6.0 - Unauthenticated Donor Data Exposure | GiveWP – Donation Plugin and Fundraising Platform | CWE-200 | 5.3 | Medium | 2025-08-06 |
| CVE-2025-7205 | GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting | GiveWP – Donation Plugin and Fundraising Platform | CWE-79 | 5.4 | Medium | 2025-07-31 |
| CVE-2025-5678 | Kadence Blocks – Gutenberg Blocks for Page Builder Features <= 3.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via `redirectURL` Parameter | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | CWE-79 | 6.4 | Medium | 2025-07-09 |
| CVE-2025-50046 | WordPress WPComplete plugin <= 2.9.5 - Cross Site Scripting (XSS) Vulnerability | WPComplete | CWE-79 | 6.5 | Medium | 2025-06-20 |
| CVE-2025-4571 | GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification | GiveWP – Donation Plugin and Fundraising Platform | CWE-862 | 5.4 | Medium | 2025-06-19 |
| CVE-2025-5144 | The Events Calendar <= 6.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting | The Events Calendar | CWE-79 | 6.4 | Medium | 2025-06-11 |
| CVE-2025-48246 | WordPress The Events Calendar plugin <= 6.11.2.1 - Broken Access Control Vulnerability | The Events Calendar | CWE-862 | 5.4 | Medium | 2025-05-19 |
| CVE-2025-39557 | WordPress Kadence WooCommerce Email Designer plugin <= 1.5.14 - Arbitrary File Upload vulnerability | Kadence WooCommerce Email Designer | CWE-434 | 9.1 | Critical | 2025-04-16 |
| CVE-2025-30794 | WordPress Event Tickets plugin <= 5.20.0 - Reflected Cross Site Scripting (XSS) vulnerability | Event Tickets | CWE-79 | 7.1 | High | 2025-04-01 |
| CVE-2025-2331 | GiveWP – Donation Plugin and Fundraising Platform <= 3.22.1 - Authenticated (Subscriber+) Sensitive Information Exposure | GiveWP – Donation Plugin and Fundraising Platform | CWE-200 | 5.3 | Medium | 2025-03-22 |
| CVE-2025-2025 | Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function | GiveWP – Donation Plugin and Fundraising Platform | CWE-862 | 6.5 | Medium | 2025-03-15 |
| CVE-2025-0912 | GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection | GiveWP – Donation Plugin and Fundraising Platform | CWE-502 | 9.8 | Critical | 2025-03-04 |
| CVE-2025-1291 | Gutenberg Blocks by Kadence Blocks <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'icon' | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | CWE-79 | 6.4 | Medium | 2025-03-01 |
| CVE-2025-22633 | WordPress Give – Divi Donation Modules plugin <= 2.0.0 - Sensitive Data Exposure vulnerability | Give – Divi Donation Modules | CWE-538 | 5.8 | Medium | 2025-02-23 |
| CVE-2025-1402 | Event Tickets and Registration <= 5.19.1.1 - Missing Authorization to Ticket Deletion | Event Tickets and Registration | CWE-862 | 5.3 | Medium | 2025-02-21 |
| CVE-2024-13457 | Event Tickets <= 5.18.1 - Insecure Direct Object Reference to Sensitive Information Exposure | Event Tickets and Registration | CWE-284 | 5.3 | Medium | 2025-01-30 |
| CVE-2025-24537 | WordPress The Events Calendar plugin <= 6.7.0 - Cross Site Request Forgery (CSRF) vulnerability | The Events Calendar | CWE-352 | 5.4 | Medium | 2025-01-27 |
| CVE-2024-11090 | Membership Plugin – Restrict Content <= 3.2.13 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure | Membership Plugin – Restrict Content | CWE-200 | 5.3 | Medium | 2025-01-26 |

This page lists every published CVE security advisory associated with stellarwp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.